Wireshark mailing list archives
Issues around the handling of RSN and encryption headers in the 802.11 dissector
From: Richard Sharpe <realrichardsharpe () gmail com>
Date: Mon, 28 May 2018 09:59:47 -0700
There are a number of deficiencies in the way the 802.11 dissector handles encryption headers and RSN.

One of those is that it includes the extra 4 or 8 bytes before the data (4 for WEP, 8 for others) as part of the MAC HEADER but the spec is clear that it is not part of the MAC header. It also does not show the MIC which must be there.

However, another, perhaps bigger problem is that it does not correctly determine the actual type of Encryption used. There is a simple heuristic used in dissect_ieee80211_common that looks at bytes two and three of the encryption header to distinguish between TKIP and CCMP, but there are more protocols than that, including GCMP and BIP.

The correct way to handle this is to look in Key Message 2 and extract the Cipher Suite from Key Message 2 and save that so that it can be found later and then use that info to determine what type of encryption header we are dealing with and display things correctly.

We could save the encryption suite info either in the airpdctx or we could create a separate hash table indexed by the src and dst (or whatever) STA addresses to contain this info. The first approach fails if a capture has more than one set of encryption setup exchanges.

However, the first problem is that the code that dissects the Key Data calls through a dissector table to dissect that info ... so I am looking for ways to extract the appropriate info and make it available at the appropriate time.

Thoughts welcome.

--
Regards,
Richard Sharpe
(What can dispel sorrow? Only Du Kang. -- Cao Cao) (Legend has it that Du Kang was the inventor of wine)
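The approach proposed in the message, as an added example that is not part of the original post and is not Wireshark's code: read the pairwise cipher suite from the RSN element carried in Key Message 2, remember it per address pair, and use it later to size the MIC that follows the payload. All names (`sa_table`, `rsne_pairwise_cipher`, `sa_cipher`, `cipher_trailer_len`) are hypothetical, the table is a fixed array standing in for a hash table, and the sample element is constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Cipher suite types under OUI 00-0F-AC (IEEE 802.11). */
enum { CS_TKIP = 2, CS_CCMP128 = 4, CS_GCMP128 = 8, CS_GCMP256 = 9, CS_CCMP256 = 10 };
/* Constructed sample: RSN element, group CCMP-128, pairwise GCMP-128, AKM PSK. */
static const uint8_t sample_rsne[] = { 0x30, 0x14, 0x01, 0x00, 0x00, 0x0f, 0xac, 0x04,
    0x01, 0x00, 0x00, 0x0f, 0xac, 0x08, 0x01, 0x00, 0x00, 0x0f, 0xac, 0x02, 0x00, 0x00 };
/* Hypothetical per-capture table keyed by authenticator and supplicant address. */
struct sa_entry { uint8_t aa[6], spa[6]; int cipher, used; };
static struct sa_entry sa_table[16];

/* Pairwise cipher type from the RSN element of Key Message 2 (the supplicant
 * lists the one suite it selected, so the first is taken); -1 if malformed. */
int rsne_pairwise_cipher(const uint8_t *ie, size_t len)
{
    static const uint8_t oui[3] = { 0x00, 0x0f, 0xac };
    if (len < 2 || ie[0] != 48 || (size_t)ie[1] + 2 > len) return -1;
    const uint8_t *p = ie + 2;  /* version(2) group(4) count(2) suites(4 each) */
    if (ie[1] < 12 || p[0] != 1 || p[1] != 0) return -1;
    size_t count = (size_t)p[6] | ((size_t)p[7] << 8);
    if (count == 0 || 8 + 4 * count > ie[1]) return -1;
    return memcmp(p + 8, oui, 3) == 0 ? p[11] : -1;
}

/* Look up the address pair; with cipher >= 0, create or update its entry.
 * Returns the stored cipher type, or -1 if unknown or the table is full. */
int sa_cipher(const uint8_t aa[6], const uint8_t spa[6], int cipher)
{
    struct sa_entry *e, *slot = NULL;
    for (e = sa_table; e < sa_table + 16; e++) {
        if (e->used && !memcmp(e->aa, aa, 6) && !memcmp(e->spa, spa, 6)) { slot = e; break; }
        if (!e->used && !slot && cipher >= 0) slot = e;
    }
    if (!slot) return -1;
    if (cipher >= 0) { memcpy(slot->aa, aa, 6); memcpy(slot->spa, spa, 6); }
    if (cipher >= 0) { slot->cipher = cipher; slot->used = 1; }
    return slot->cipher;
}

/* Bytes after the payload of an unfragmented protected frame: the MIC, plus the
 * ICV for TKIP. The header before the payload is 8 bytes for all of these. */
int cipher_trailer_len(int c)
{
    if (c == CS_TKIP) return 12;                    /* 8 MIC + 4 ICV */
    if (c == CS_CCMP128) return 8;
    return (c == CS_CCMP256 || c == CS_GCMP128 || c == CS_GCMP256) ? 16 : -1;
}
```

Keying the table by address pair only keeps the most recent handshake for that pair; a capture with a re-association that changes the suite would also need the frame number at which each entry became valid.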